On Mon, Aug 22, 2022 at 10:33 PM Gaosheng Cui <ecronic(a)outlook.com> wrote:
> Thanks for your reply.
> This is a personal idea of mine, in the process of using audit, I find that if the audit
> rules are configured too much, or the server hard-disk performance is too poor, hitting a
> rate limit will be easy to occur, then some logs would be dropped directly.
> I think we should print the record to the console, just likely the last thing we want to
> do, better play the role of audit, and improve kernel security.
> I hope that will be helpful, thanks.

Yes, thank you for the additional information on your environment and
use case. As I'm sure you already know, the audit rate limit, backlog
queue depth, and other related tunables can all be configured at boot
or runtime to help ensure that the system remains responsive in the
face of higher audit loads.
--
paul-moore.com
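
The tunables mentioned in the reply can be checked before records are lost. The script below is an added example, not part of the thread or of the audit project's code: it reads `auditctl -s` style status lines and reports dropped records, a nearly full backlog queue, an active rate limit, and silent failure handling. The sample status text is constructed, the `key value` line format is assumed to match what the installed auditctl prints, and the 80% threshold and the function name are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `auditctl -s` output (not taken from a real host).
SAMPLE_STATUS='enabled 1
failure 1
pid 812
rate_limit 100
backlog_limit 64
lost 5312
backlog 61
backlog_wait_time 60000'

# Reads "key value" status lines on stdin and prints one finding per line,
# or "ok" when no condition is met.
# Tunables referred to in the findings:
#   runtime: auditctl -r <msgs/sec>   (rate limit, 0 means no limit)
#            auditctl -b <records>    (backlog queue depth)
#            auditctl -f <0|1|2>      (on failure: silent, printk, panic)
#   boot:    audit_backlog_limit=<records> on the kernel command line
audit_status_findings() {
    awk '
        { v[$1] = $2 }
        END {
            n = 0
            if (v["lost"] + 0 > 0) {
                print "lost=" v["lost"] ": records have been dropped"
                n++
            }
            # Hypothetical threshold: warn when the queue is 80% full.
            if (v["backlog_limit"] + 0 > 0 &&
                v["backlog"] * 10 >= v["backlog_limit"] * 8) {
                print "backlog=" v["backlog"] "/" v["backlog_limit"] ": queue nearly full, raise with auditctl -b"
                n++
            }
            if (v["rate_limit"] + 0 > 0) {
                print "rate_limit=" v["rate_limit"] ": records above this rate are dropped, adjust with auditctl -r"
                n++
            }
            if (v["failure"] != "" && v["failure"] + 0 == 0) {
                print "failure=0: drops are silent, use auditctl -f 1 to log them via printk"
                n++
            }
            if (n == 0) print "ok"
        }'
}

# On a live system (requires root): auditctl -s | audit_status_findings
```
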